I saw a question like this posted to the list a few months back without
resolution, but maybe someone else has also hit it by now.
I'm trying to set up web access to a set of folders for a large number
of users and it's not working as expected. It seems to be a
permissions issue, and I may be missing some essential concept (any
pointers to good documentation appreciated).
I have four folders, and four groups of users:
/Volumes/Shared/Staff - used by group Faculty
/Volumes/Shared/Class of 2006 - used by group classof2006
/Volumes/Shared/Class of 2007 - used by group classof2007
/Volumes/Shared/Class of 2008 - used by group classof2008
Each of these groups has a couple hundred users, each with a primary
group of one of the above, and each of these folders has sub-folders,
named by user, set to be owned by the user, group set to their
appropriate group, 750 permissions.
So, to make this browsable, I have:
/Volumes/Shared/WebHome/
containing symlinks to the above folders (there's other stuff in
/Volumes/Shared that can't be browsable).
So, I have a new site on port 443 defined, with /Volumes/Shared/WebHome
as the document root, allowing indexes. This gets me a nice list of
the four folders I need when I connect via HTTPS. That part works
fine.
I defined a new Realm for each of the groups/folders and assigned
corresponding paths and group ownership in the GUI. That seems to
generate a nice apache virtualhost with the correct 'require group'
statements for the correct directories and methods.
However, when I try to access a group folder, I get re-authentication
requests. Looking at the apache logs, it tries to authenticate first,
then fails, falls over to a 'legacy' method, that succeeds, and then it
decides the user doesn't have permission to access the folder.
Based on the previous post which claimed group support was totally
broken, I added a user to the Realm directly. Like this, the user can
descend into his Group folder but cannot descend into his user folder.
If I put in the wrong password, I immediately get an Authorization
Failed error page, instead of a re-authenticate request, so I know the
password authentication is at least succeeding.
If I had to theorize I'd guess the mod_auth_apple module isn't
correctly passing on the user's group information to Apache, but that's
a black box I can't see how to look into short of running Apache -X
with a ktrace on it, and I'm not sure the results would be elucidating
there.
Some things I've tried to troubleshoot:
WebDAV on and off
Just setting a class folder to be the Document Root, in case symlinks
were a problem - didn't work either.
Adding the WWW user to the users' groups.
Cranking up the debug level on the error log - no additional information
su'ing to the user - he can see his folders, groups, etc. just fine at
the unix level (works very well)
Adding 'Can Author' privileges (no help, but slick apache config file
manipulation!)
So, if anyone has run across this before or sees what I'm obviously
missing, please make a suggestion.
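One check worth running against a layout like the one described above, as an added example that is not part of the original post or of Apple's server tools: HTTP authentication only decides which user Apache believes it is talking to; the httpd worker still opens the disk as its own Unix user, so every directory between the document root and the requested file must carry search (x) permission for that user or one of its groups. The script below walks a path the way the kernel does, resolving the WebHome symlink first, and reports the first component a given uid/group set cannot search. It assumes uid 70 for the www user (an assumption; substitute the uid your httpd runs as) and builds a constructed replica of the Shared tree in a temporary directory. Because a sandbox cannot chown, every entry is owned by the current user and that user's primary group stands in for classof2006.

```python
"""
Added example: a filesystem-side check for the Shared/WebHome layout.
The httpd worker reads the disk as its own Unix user, so each directory on
the way to a user folder must be searchable by that user or its groups,
no matter which user authenticated over HTTP.
"""
import os
import shutil
import stat
import tempfile

WWW_UID = 70          # assumption: uid of the www user on the server


def may_search(st, uid, gids):
    """POSIX directory-search decision for one component (root bypasses)."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_component(path, uid, gids, stop_at="/"):
    """Resolve symlinks (as FollowSymLinks would) and return the first
    directory below stop_at that uid/gids cannot search, or None if the
    whole path is reachable.  Components above stop_at are not checked."""
    real = os.path.realpath(path)
    base = os.path.realpath(stop_at)
    current = base
    for part in os.path.relpath(real, base).split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not may_search(st, uid, gids):
            return current
    return None


def build_layout(root):
    """Constructed replica of the post's tree: Shared/Class of 2006 (750),
    a per-user folder under it (750), and a WebHome symlink to the class
    folder.  Everything is owned by the current user because the sandbox
    cannot chown; the owner's primary group plays the role of classof2006."""
    shared = os.path.join(root, "Shared")
    cls = os.path.join(shared, "Class of 2006")
    alice = os.path.join(cls, "alice")
    webhome = os.path.join(shared, "WebHome")
    os.makedirs(alice)
    os.makedirs(webhome)
    for d, mode in ((shared, 0o755), (webhome, 0o755),
                    (cls, 0o750), (alice, 0o750)):
        os.chmod(d, mode)          # explicit, so umask cannot change the result
    os.symlink(cls, os.path.join(webhome, "Class of 2006"))
    return os.path.join(webhome, "Class of 2006", "alice")


def run_demo():
    """Build the layout in a temp dir and walk it as www alone, as www with
    the class group added, and as the folder's owner.  Returns the blocked
    component (or None) for each case."""
    root = tempfile.mkdtemp()
    try:
        alice = build_layout(root)
        class_gid = os.stat(os.path.realpath(os.path.dirname(alice))).st_gid
        return {
            "www_alone": first_blocked_component(alice, WWW_UID, set(), root),
            "www_in_group": first_blocked_component(alice, WWW_UID, {class_gid}, root),
            "owner": first_blocked_component(alice, os.getuid(), set(), root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, blocked in run_demo().items():
        state = "reachable" if blocked is None else "blocked at " + blocked
        print(f"{case:13s}: {state}")
```

Run it as written to see the three cases, then point `first_blocked_component` at a real user folder with the uid and the full supplementary group list of the running httpd (from `ps` and `id`). With 750 on both the class folder and the user folder, www alone stops at the class folder; adding www to the class group makes the walk succeed, which is the condition behind the "add the WWW user to the users' groups" step. One caveat when applying that on a live server: Apache picks up its supplementary groups when it drops privileges at startup, so a group change made while httpd is running does not take effect until it is restarted.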